Incorrect Permissions on /tmp

CIAC INFORMATION BULLETIN

F-27: Incorrect Permissions on /tmp

August 17, 1995 1200 PDT
PROBLEM:        A vulnerability exists in Solaris 2.x systems that allows
                a race condition to be exploited to gain root access.
PLATFORM:       Sun Solaris 2.x (SunOS 5.x) and Solaris 2.4x86
DAMAGE:         Users logged into a system may gain unauthorized root
                privileges.
SOLUTION:       Use the workaround contained in this bulletin to modify the
                sticky bit on the /tmp directory.
AVAILABILITY:   See the workaround that is contained in this bulletin.

VULNERABILITY   Unprivileged users who are logged on to a system can use this
ASSESSMENT:     vulnerability to gain unauthorized root privileges. An exploit
                program for this vulnerability has been published publicly.
                CIAC advises that the workaround described below be performed
                immediately.

CRITICAL Information on the Incorrect Permissions on /tmp

CIAC has received information from the Australian Computer Emergency Response Team (AUSCERT) and from the bugtraq mailing list that a vulnerability has been identified in Solaris 2.x systems that allows a race condition to be exploited to gain root access. The basic problem is that the sticky bit is sometimes not set on the /tmp directory. Without the sticky bit, users are able to access other users' files in the /tmp directory.

Sun Microsystems has confirmed this vulnerability and is currently testing patches for this vulnerability. Patches from Sun Microsystems will be for Solaris 2.3, 2.4 and 2.4x86. Sun Microsystems expects to have patches available within about a week. This vulnerability has been fixed in the upcoming release of Solaris.

Detailed Description

A race condition has been identified in at least one Solaris 2.x system program which can be exploited to gain root access if a user has access to the temporary files. Access to these temporary files may be obtained if the permissions on the /tmp and /var/tmp directories are set incorrectly. The permissions on the /tmp directory are often reset improperly by the system if tmpfs (which is mounting swap as /tmp) is in use.

This vulnerability affects the Solaris 2.x (SunOS 5.x) systems. A vulnerability similar to this affected SunOS 4.1.x (Solaris 1.x) systems in the past. Therefore, CIAC recommends that these systems also be checked for the correct permissions. The remainder of this bulletin shows how to identify if this vulnerability exists on your system and additionally identifies commands to be used as a workaround to this vulnerability. Commands shown are for Solaris 2.x systems. Similar commands and configurations exist for SunOS 4.1.x users.

To determine if you are running tmpfs, the following command can be used to verify if the filesystem for /tmp is swap:

	$ /usr/sbin/df -k /tmp
	Filesystem            kbytes    used   avail capacity  Mounted on
	swap                  158728      28  158700     0%    /tmp
or look in the file /etc/vfstab for the configuration line:

#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
swap            -               /tmp            tmpfs   -       yes     -
If either of these two conditions exists, then you are running tmpfs and the system may automatically reset the permission bits of /tmp at the next reboot.

To verify if your configuration is vulnerable, the following command may be used:

$ ls -ld /tmp
drwxrwxrwt   5 root     root         306 Aug 16 11:12 /tmp
	 ^
	 ^ (Sticky bit is set -- system not currently vulnerable)

$ ls -ld /tmp
drwxrwxrwx   5 root     root         306 Aug 16 11:12 /tmp
	 ^
	 ^ (Sticky bit is not set -- system is vulnerable)
If the sticky bit (t) is not set, then the system is vulnerable.
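An added example, not part of the CIAC bulletin: a Bourne-shell audit that applies the ls -ld check above to /tmp, /var/tmp or any other directory you name, parsing the mode string instead of reading it by eye. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): automate the bulletin's
# "ls -ld" check. A world-writable directory without the sticky bit lets
# any local user remove or replace other users' temporary files.

# mode_string DIR: the 10-character mode field of `ls -ld DIR`, e.g.
# drwxrwxrwt (any trailing ACL/SELinux marker is cut off)
mode_string() {
    ls -ld "$1" | cut -c1-10
}
# sticky_set DIR: exit 0 when the sticky bit is set; it shows as 't'
# (or 'T' when "others" lack execute) in the last mode position
sticky_set() {
    case `mode_string "$1"` in
        *t|*T) return 0 ;;
        *)     return 1 ;;
    esac
}
# world_writable DIR: exit 0 when "others" may write (9th char is 'w')
world_writable() {
    case `mode_string "$1"` in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}
# vulnerable DIR: the condition the bulletin describes
vulnerable() {
    if world_writable "$1" && ! sticky_set "$1"; then return 0; fi
    return 1
}
# audit DIR...: print a verdict per directory; the exit status is the
# number of vulnerable directories, so 0 means everything checked is ok
audit() {
    bad=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "$d: not a directory, skipped"
            continue
        fi
        m=`mode_string "$d"`
        if vulnerable "$d"; then
            echo "$d: $m world-writable without sticky bit -- VULNERABLE"
            bad=`expr $bad + 1`
        else
            echo "$d: $m ok"
        fi
    done
    return $bad
}
```

Run it as `audit /tmp /var/tmp` after each reboot on a tmpfs system; a non-zero exit status means the chmod 1777 workaround below is needed.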

WORKAROUNDS

These workarounds have been verified with Sun Microsystems. Sun Microsystems expects a patch to be released in the near future.

  1. Immediate Workaround

    The immediate workaround is to set the sticky bit on the /tmp directory using the following command as root:

    	# /usr/bin/chmod 1777 /tmp
    
    Note that this command must be performed after each reboot if you are mounting swap as /tmp (using tmpfs).

    In addition, the ownership and group membership of the /tmp directory should be verified using ls -ld /tmp and if incorrect may be reset by issuing the following commands:

    	# /usr/bin/chown root /tmp
    	# /usr/bin/chgrp root /tmp
    
  2. System Reboot workaround

    It is possible to perform these commands automatically at reboot by creating the following script as /etc/init.d/tmpfsfix:

     -------------------------8<--- cut here ---8<--------------------------------
    #!/bin/sh
    
    if [ -d /tmp ]
    then
       /usr/bin/chmod 1777 /tmp
       /usr/bin/chgrp root /tmp
       /usr/bin/chown root /tmp
    fi
    #
    # end of script tmpfsfix
     -------------------------8<--- cut here ---8<--------------------------------
    
    A symbolic link called /etc/rc3.d/S79tmpfix, pointing to /etc/init.d/tmpfsfix, should then be created by issuing the following command as root:

    	# /usr/bin/ln -s /etc/init.d/tmpfsfix /etc/rc3.d/S79tmpfix
    
  3. /var/tmp permissions

    The /var/tmp directory should be similarly checked and corrected. Note that this directory is not usually mounted as tmpfs, and therefore is not subject to automatic resetting of its permission bits on reboot.

    	% ls -ld /var/tmp
    	drwxrwxrwt  2 root          512 Aug 15 11:35 /var/tmp
    

CIAC wishes to thank the AUSCERT team and Mark Graff of Sun Microsystems for providing the information contained in this bulletin.

DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/